vendor:
Internet Explorer
by:
SecurityFocus
7.5
CVSS
HIGH
Cross-Domain Scripting Security-Bypass
16
CWE
Product Name: Internet Explorer
Affected Version From: Internet Explorer 6
Affected Version To: Internet Explorer 8 Beta 1
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2008
Microsoft Internet Explorer Cross-Domain Scripting Security-Bypass Vulnerability
Microsoft Internet Explorer is prone to a cross-domain scripting security-bypass vulnerability because the application fails to properly enforce the same-origin policy. An attacker can exploit this issue to change the location of a frame from a different domain. This allows the attacker to execute arbitrary code in a frame of the same window as content from a different domain. Successful exploits will allow the attacker to access information from the parent document via DOM components that are not domain-reliant (such as the 'onmousedown' event).
Mitigation:
Enforce the same-origin policy properly.